
Getting Started with XML Security


Authentication and Authorization Assertions: Security Assertion Markup Language (SAML)

Purpose and Benefits

Authentication is the process of establishing identity. This is required to limit access to resources, to identify participants in transactions, and to create seamless personalization of information based on identity. A means of sharing the fact that authentication has been performed successfully is necessary to allow "single sign-on" as well as to allow third party authentication services.

An example is a travel portal offering destination information, flight schedules, the ability to make reservations and other services. To a customer, it should appear as a single web site, but in fact different systems may be cooperating to implement the service. For usability and transparency, a customer should only need to authenticate once to the portal, and information on the successful authentication should be shared with the different underlying systems, with some validity period. A general requirement when using multiple networked systems is "single sign-on" - authenticating once and then sharing the result of authentication with multiple systems to avoid repeated authentication.

Related to authentication is authorization, the process of determining whether an authenticated party should be able to access a resource or perform an action. To give an example, human resources salary information may only be accessible to certain employees of a company, or only to members of the HR group. Such access control is based on the authenticated identity of an individual. To give another example, only specific individuals or individuals acting in specific roles should be able to enter into high value transactions on behalf of a company. Access control rules may be based on authenticated identity, the resource or action and other information, such as the time of day, day of week, or content of transactions.

Features

The Security Assertion Markup Language (SAML) defines an XML vocabulary for sharing security assertions, including authentication and authorization assertions, enabling "single sign-on" and third party management of these functions. It also defines a Request/Response protocol and an XML protocol (SOAP) binding for it. The SAML specification defines a general assertion framework that allows assertions to be given validity time periods and to be targeted to specific audiences; a relying party is expected to reject an assertion that is outside its validity window or not addressed to it, which limits the damage if an assertion is captured and replayed elsewhere. Assertions are associated with a given "subject" or named entity.

Key Concepts

The SAML specifications define:

  1. An XML vocabulary for expressing authentication and authorization assertions, allowing statements about how and when authentication and authorization occurred to be passed among parties.

  2. A request/response protocol for conveying SAML assertions, as well as an XML protocol (SOAP) binding.

  3. Unique identifiers (URNs) for different authentication mechanisms and authorization actions.

  4. How digital signatures are associated with assertions.

SAML allows authentication information to be shared by creating an assertion that a subject was authenticated in a specific manner at a specific time. Different techniques for establishing identity are supported, ranging from use of a password to use of hardware tokens and personal physical attributes (biometrics). SAML allows assertions to specify which type of authentication mechanism was used and supports a variety of accepted mechanisms.

A SAML AuthorizationDecisionStatement may be used to assert that a request by a subject to access a specified resource has resulted in the specified decision, and may optionally include evidence to support the decision.

The SAML security considerations document discusses issues of security and privacy associated with SAML. For details see the SAML specifications [ SAML ].

Examples

The following simplified authentication assertion example states that John Doe was authenticated using SSL client certificate authentication:

<Assertion>
   <!-- Conditions may include optional XML attributes
        defining a time period for validity -->
   <Conditions NotBefore="dateTime" NotOnOrAfter="dateTime">
       <!-- limit who can rely on this assertion -->
       <AudienceRestrictionCondition>
           <Audience>http://www.example.com/Members</Audience>
       </AudienceRestrictionCondition>
   </Conditions>
   <!-- Optional Advice used to include supporting
        evidence, proofs, assertions, pointers to updates etc.
        One or more of the possible sub-elements. -->
   <Advice>
       <!-- refer to other supporting assertion -->
       <AssertionIDReference>id</AssertionIDReference>
       <!-- provide inline information -->
       <Assertion>...</Assertion>
   </Advice>
   <!-- Authentication - example: SSL/TLS client certificate
        authentication, identified by the URN of RFC 2246 (TLS 1.0) -->
   <AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:2246"
                            AuthenticationInstant="dateTime">
       <Subject>
           <NameIdentifier
             Format="urn:oasis:names:tc:SAML:1.0:assertion#emailAddress">
               john_doe@example.com
           </NameIdentifier>
       </Subject>
   </AuthenticationStatement>
   <ds:Signature>
       XML Digital Signature for assertion
   </ds:Signature>
</Assertion>

Example 12 - SAML Authentication Assertion

The SAML specifications allow more complicated authentication statements, including the ability to include information needed to confirm subject identity, such as <KeyInfo> - see the SAML specification for details [ SAML ].

The following example shows an assertion permitting John Doe to read a web resource. The Evidence element points, by AssertionIDReference, at the authentication assertion the decision was based on:

<Assertion>
   <!-- Conditions with optional XML attributes defining a
        time period for validity -->
   <Conditions NotBefore="dateTime" NotOnOrAfter="dateTime">
       <!-- limit who can rely on this assertion -->
       <AudienceRestrictionCondition>
           <Audience>http://www.example.com/Members</Audience>
       </AudienceRestrictionCondition>
   </Conditions>

   <!-- Decision choices: "Permit", "Deny", "Indeterminate" -->
   <AuthorizationDecisionStatement Resource="http://www.fjhirsch.com/info"
                                   Decision="Permit">
       <Subject>
           <NameIdentifier
             Format="urn:oasis:names:tc:SAML:1.0:assertion#emailAddress">
               john_doe@example.com
           </NameIdentifier>
       </Subject>
       <Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">
           Read
       </Action>
       <Evidence>
           <AssertionIDReference>LOG-Abc12Z</AssertionIDReference>
       </Evidence>
   </AuthorizationDecisionStatement>
   <ds:Signature>
       XML Digital Signature for assertion
   </ds:Signature>
</Assertion>

Example 13 - SAML Authorization Assertion
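The checks a relying party has to make before acting on either of the assertions above, as an added example in Python that is not part of this article: it enforces the Conditions of Example 12 (the NotBefore/NotOnOrAfter window, with a small clock-skew allowance, and the AudienceRestrictionCondition), reads the AuthenticationStatement, and evaluates the AuthorizationDecisionStatement of Example 13, granting access only on an explicit Permit. The sample assertion, its AssertionID and its Issuer are constructed for this example. The code assumes the ds:Signature over the whole assertion has already been verified against the issuer's trusted key and never inspects it; it uses only the standard library, whose xml.etree parser does not defend against entity-expansion attacks, so untrusted assertions should be parsed with a hardened parser such as defusedxml in production.

```python
"""Relying-party checks on a SAML 1.0 assertion (added example, not the article's code).

Assumes the ds:Signature over the Assertion was already verified; nothing here
looks at the signature, and none of it should run on an unverified assertion.
The sample assertion at the bottom is constructed for this example.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
RWEDC = "urn:oasis:names:tc:SAML:1.0:action:rwedc"


def _q(tag):
    """Qualify a local name with the SAML 1.0 assertion namespace."""
    return f"{{{SAML}}}{tag}"


def parse_instant(text):
    """Parse an xs:dateTime; SAML requires UTC, written with a trailing 'Z'."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    return datetime.fromisoformat(text)


def check_conditions(assertion, audience, now, skew=timedelta(seconds=60)):
    """Return the reasons to reject the assertion; an empty list means it may be relied on."""
    problems = []
    cond = assertion.find(_q("Conditions"))
    if cond is None:
        return problems  # no <Conditions>: the issuer placed no constraints
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now + skew < parse_instant(not_before):
        problems.append("not yet valid")
    if not_on_or_after is not None and now - skew >= parse_instant(not_on_or_after):
        problems.append("expired")
    # Every AudienceRestrictionCondition must name us (AND across conditions,
    # OR across the <Audience> values inside one condition).
    for arc in cond.findall(_q("AudienceRestrictionCondition")):
        audiences = {(a.text or "").strip() for a in arc.findall(_q("Audience"))}
        if audience not in audiences:
            problems.append("audience restriction excludes " + audience)
            break
    return problems


def authentication_statement(xml_text):
    """Return (subject, AuthenticationMethod URI, AuthenticationInstant) or None."""
    stmt = ET.fromstring(xml_text).find(_q("AuthenticationStatement"))
    if stmt is None:
        return None
    name = stmt.find(f"{_q('Subject')}/{_q('NameIdentifier')}")
    return ((name.text or "").strip(), stmt.get("AuthenticationMethod"),
            parse_instant(stmt.get("AuthenticationInstant")))


def authorization_decision(assertion, resource, action, namespace=RWEDC):
    """Decision string for (resource, action), or None if no statement covers the pair."""
    for stmt in assertion.findall(_q("AuthorizationDecisionStatement")):
        if stmt.get("Resource") != resource:
            continue
        for act in stmt.findall(_q("Action")):
            # The Namespace must match explicitly; an <Action> without one is not trusted here.
            if act.get("Namespace") == namespace and (act.text or "").strip() == action:
                return stmt.get("Decision")
    return None


def decide(xml_text, audience, now, resource, action):
    """Fail closed: (True, "Permit") only when the conditions hold and the issuer said Permit."""
    assertion = ET.fromstring(xml_text)
    problems = check_conditions(assertion, audience, now)
    if problems:
        return False, "conditions failed: " + "; ".join(problems)
    decision = authorization_decision(assertion, resource, action)
    if decision is None:
        return False, "no decision covers resource/action"
    if decision != "Permit":
        return False, decision  # "Deny" and "Indeterminate" both mean no access
    return True, "Permit"


# Constructed sample: a signed-and-verified assertion would carry a ds:Signature here too.
SAMPLE_ASSERTION = f"""\
<Assertion xmlns="{SAML}" MajorVersion="1" MinorVersion="0"
           AssertionID="_example-assertion-1" Issuer="https://idp.example.com"
           IssueInstant="2003-05-01T12:00:00Z">
  <Conditions NotBefore="2003-05-01T12:00:00Z" NotOnOrAfter="2003-05-01T12:05:00Z">
    <AudienceRestrictionCondition>
      <Audience>http://www.example.com/Members</Audience>
    </AudienceRestrictionCondition>
  </Conditions>
  <AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:2246"
                           AuthenticationInstant="2003-05-01T11:59:30Z">
    <Subject>
      <NameIdentifier Format="{SAML}#emailAddress">john_doe@example.com</NameIdentifier>
    </Subject>
  </AuthenticationStatement>
  <AuthorizationDecisionStatement Resource="http://www.fjhirsch.com/info" Decision="Permit">
    <Subject>
      <NameIdentifier Format="{SAML}#emailAddress">john_doe@example.com</NameIdentifier>
    </Subject>
    <Action Namespace="{RWEDC}">Read</Action>
  </AuthorizationDecisionStatement>
</Assertion>
"""

if __name__ == "__main__":
    now = parse_instant("2003-05-01T12:02:00Z")
    print(authentication_statement(SAMPLE_ASSERTION))
    print(decide(SAMPLE_ASSERTION, "http://www.example.com/Members", now,
                 "http://www.fjhirsch.com/info", "Read"))
    print(decide(SAMPLE_ASSERTION, "http://other.example.org/", now,
                 "http://www.fjhirsch.com/info", "Read"))
```

The audience check is what stops an assertion minted for one portal from being presented to another: a second relying party that skipped it would accept a perfectly valid, correctly signed assertion that was never meant for it. The skew allowance is deliberately small; a large one quietly extends every assertion's lifetime.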
